The Journal of AUUG Inc. Volume 24 ¯ Number 2 June 2003
Features:
Microsoftens 10 OpenBSD 3.3 Released 11 Linux System’ Administrator’s Security Guide (Part 1) 15 The Roadman for FreBSD 5-stable 20 Mail and Dynamic IP 24 Intrusion Detection System (Part 1) 25 FreeBSD 5.1 Release Process 40 SCO-vs.-IBM: the Open Source Initiative Position Paper on the Complaint 41 AUUG 2003 Systems Administration Symposium Photo Gallery 57 NetBSD 1.6.1 CD 58
News:
Public Notices 4 AUUG: Corporate Members 9 AUUG Conference 2003 Invitation 59 AUUG Membership Renewal 61 AUUG: Chapter Meetings and Contact Details 63
Regulars:
President’s Column 3 My Home Network 4
ISSN 1035-7521 Print post approved by Australia Post - PP2391500002
AUUG Membership and General Correspondence The AUUG Secretary PO Box 7071 Edi oria Baulkham Hills BC NSW 2153 Con Zymaris auu.qn@auu,q.or,q.au Telephone: 02 8824 9511 or 1800 625 655 (Toll-Free) I imagine I’m not alone in expressing fond memories Facsimile: 02 8824 9522 Email: [email protected] of both Carl Sagan and Stephen Jay Gould. Both of these gentleman were not only practicing scientists AUUG Management Committee but also exemplary communicators of science and of Email: [email protected] the technical, complex and beautiful cosmos that we inhabit. President Greg Lehey PO Box 460 Through his combination of vision and chutzpah, Echunga, SA, 5153 Sagan caused us to pause for a moment and consider Bus. Tel (08) 8388 8286, Mobile 0418 838 708, Fax (08) 8388 8725 the majesty of star-stuff, of galaxies and of the human
Adrian Close It seems to me that many non-computer-scientists Ph: +61 7 5596 2277 Fax: +61 7 5596 6099 are rushing to define how we technologists should go Mobile: +61 417 346 094 st
Mark White Why are groups like AUUG’s members well placed to apviva technology partners help bring about an increased enlightenment amongst P. O. Box 1870, Toowong QLD 4066 the IT laity?. To be franl;, it all boris down to having Bus Tel 07 3876 8779, Mobile 04 3890 0880 the kind of mind that just gets ’it’. Further, this
AUUGN Vol.24, No.2 - 1 - June 2003 AUUGN Editorial Committee
C niribuiio The AUUGN Editorial Committee can be reached by sending emil to: auu,~n@auu~.or~.au
Deadlines for AUUGN Or to the following address: in 2093 AUUGN Editor Editor: Con Zymaris Volume 24 ~ Number 3 - September 2003: August PO Box 7071 Baulkham Hills BC NSW 2153 30t~,, 2003 Sub-Editors: Volume 24 o Number 4 - December 2003: November Frank Crawford, Mark White th, 15 2003 Contributors: This issue would not have happened without the transcription and editorial efforts of Gary R. Schmidt" <,[email protected]>, Rik Harris
AUUGN Submission Guidelines
Submission guidelines for AUUGN contributions can be obtained from the AUUG World Wide Web site at: ¯ www.auug.org.au
Alternately, send email to the above correspondence address, requesting a copy.
AUUGN Back Issues
A variety of back issues of AUUGN are still available. For price and availability please contact the AUUG Secretariat, or write to: AUUG Inc. Back Issues Department PO Box 7071 Baulkham Hills BC NSW 2153 Telephone: 02 8824 9511
Conference Proceedings A limited number of copies of the Conference Proceedings from previous AUUG Conferences are still available. Contact the AUUG Secretariat for details. Mailing Lists
Enquiries regarding the purchase of the AUUGN mailing list should be directed to the AUUG Secretariat.
Disclaimer
Opinions expressed by the authors and reviewers are not necessarily those of AUUG Inc., its Journal, or its editorial committee.
Copyright Information
Copyright © 2003 AUUG Inc.
All rights reserved. Portions © by their respective authors, and released under specified licences.
AUUGN is the journal of AUUG Inc., an organisation with the aim of promoting knowledge and understanding of Open Systems, including, but not restricted to, the UNIX@ operating system, user interfaces, graphics, networking, programming and development environments and related standards.
Copyright without fee is permitted, provided that copies are made without modification, and are not made or distributed for commercial advantage.
AUUGN Vol.24 ¢ No.2 - 2 - June 2003 site at President’s C lumn http: //www. auug, org. au/publications/press / SCO- stance.html. The following day revealed the most Greg Lehey
There are so many reasons to find the lawsuit completely ludicrous. I’ve summarized some of them at http://www.lemis.com/grog/sco.html, and I’m still doing so. At the end of May, AUUG made its standpoint clear with a press release, now on our web
AUUGN Vol.24 o No.2 3 - June 2003 Public No ces :My Home Network Upcoming Conferences & Events (J ne 2003) By: Frank Crawford
AUUGN Vol.24 o No.2 - 4 - June 2003 the middle of some crucial Windows files, at that, that it would take most of the 40GB disk. On the other hand, Linux spreads across multiple partitions Well, now I decide to really start looking at what is and disks happily, so it can use some of the 40GB going on, and my first step is to reboot into Linux, disk and the 20GB disk. which is also on this system. So, being from the old school, and doing the simplest things first, I just ran To copy the Windows XP partition, all I could really a "dd’ across the disk, and sure enough, the Linux use was Norton Ghost, and while it had problems kernel spits out disk error messages in the Windows earlier with the bad blocks, there are options to partition. Now, why didn’t Windows do this??? continue past them. So firstly, copy the partition to a Anyway, back to reports. Disks for some time have new disk. Next, copy the Linux partitions to the new had some form of self test capability, called SMAt~, disks, swap disks and boot. Now, while Ghost can and one of the recent items in the kernel-utils copy Linux ext2/ext3 partitions, it does seem to have package is "smartd’ and "smartctl’, to monitor and some issues. I much prefer to use dump/restore to report on the disk. So, kicking that off (and it did create a new partition. In fact, I’ve done this so often have some issues) it agreed that there were problems that I’ve written a little script to do the copy. with the disk.
Now, I haven’t ever had any disk problems with my home network, although at work I had problems some time back. To correct this I just mapped out the bad blocks and continued on. Worst case would have been to do a low-level format of the disk. Now, all this was for SCSI disks, but I wouldn’t expect that much difference for IDE. I couldn’t have been more wrong. Firstly, for retail IDE disks, there is no capability for bad-block mapping, no low-level format utilities, no support of any type for handling media errors. The only option is to return the disk under warranty. Even this is a bit of an issue, as recently Seagate has changed the warranty period from 3 years to 1 year for new disks.
As the disk was nearly 9 months old, I had to return it directly to Seagate, after obtaining an RMA number. To do this I had to download the SeaTools Disk Diagnostics from Seagate’s site (http://download.sea~ate.com/seatools/), run it and # :Now update generate a diagnostic report. There are a number of different versions of this, including Windows, Linux grubLpre_~_~ i~ afiX=$grubdir ., and stand-alone (i.e. DOS) versions. I chose the stand-alone version, so I could check all my Seagate disks (an advantage of standardising). The procedure $grub sh~’i~ =~batc~ was basically, download, run the self-extracting device (hdO) executable to create a bootable floppy, boot floppy tO:St." (~dO~;:O~) A~dP .$ fSgCe_lba and run the test. While there are a number of test p:~:f:iX~$ grub_pr e fix levels, in this case the simplest, which is reading the quik: SMART results from the disk, verified the fault and EOF .... generated a failure report to go with the RMA. To exit 0 obtain an RMA, I connected to http: //www.sea~ate. corn/supp ort/service and Now this script does some things the way I want, in selected "Drive Return Procedure" item 3 (RMA). particular setting the forced check of the disk to once Once this was done, I was in a position to return the every 20+ mounts or 6 months. More importantly, disk, but I was told that it could take up to six weeks "grub’, the boot loader of choice for Red Hat 8.0, is a for a replacement disk to be returned (Seagate return royal pain to install on anything other than the an equivalent disk, and then repair the faulty disk current boot disk. The parts of the scripts that relate which returns to their spares). In the end, it only to "grub’ come from some hunting on the grub took three weeks, and I could track it via Seagate’s maintainers mailing list (see Google to find it) and I’m Website. not 100% sure that it works fully. If you want to get into more fun with "grub’, try it with mirrored system Now, given that I would lose all the data on the disk I disks. You need something like this repeated determined to copy everything I could. I borrowed a multiple times, and the standard script, "grub-install’, 40GB disk and had an old 20GB disk around, so I set doesn’t know what to do with "rod" devices. I should about trying to squeeze things onto the 60GB of add that I did modify this script a little for my copy, space. Given that I prefer to only have a single as I was going from hda to partitions on both hdb and Windows partition (now running NTFS) it was obvious
AUUGN Vol.24 ~ No.2 - 5 - June 2003 hdd, but I will leave that as an exercise for the reader. remote restores and other tasks. The package can be obtained from http: //mkcdrec.ota.be/, and is Anyway, after all this, Linux was copied and running currently up to version 0.7.1 (released March 2003), on the new disks, Windows was copied, but still although I only have 0.6.7 at present. The mkCDrec broken on the new disks and I was ready to ship off project does not try to do everything itself, but rather the faulty disk. makes use of other tools to do the real work.
Now back to Windows XP not working. It was obvious Now in addition to the basic system there is a that something was wrong with the system, and with additional package of useful utilities that can be everything built into the system registry it is not an downloaded to supplement the package. This easy thing to fix. Just as much of a problem was that includes partition editors (’parted’), salvage tools the fflesystem for my Windows XP system is now (’recover’, "e2salvage’, etc), memory testers and, most NTFS, which is not writable by anything except important for me, an offline NT password editor, Windows. (Well there is experimental write support in "chntpw’. In fact "chntpw’ allows far more than just Linux, but it looks very, very dangerous.) I did this changing passwords, it can be used to make offline both because I believe that NTFS is a far superior file changes to Windows Registry files. Obviously, since system to FAT; and because FAT32 filesystems isn’t Microsoft don’t supply any documentation about the supported for a size greater than 32GB (even though registry structure, most of the details have been it can be done). found through trial and error, and as such, it should be used at your own risk. The home for this utility There were a couple of steps I took to try and rectify seems to be the problem. Firstly I installed the Windows XP http://home.eunet.no/~pnordahl/ntpasswd/ Recovery Console on the disk, which allowed me to and also seems to have a bootable disk for accessing access the system to both read and write files. I NTFS filesystems. ended up finding where Windows stored the Registry Files (in "%SystemRoot%/System32/Config"), and However, in my case this wasn’t necessary, as I where it stored backup copies copied the registry files and worked on them on the ("%SystemRoot%/Repair"). However, I also discovered Linux system, rather than trying anything directly on that there were few tools to edit it, and that the saved the Windows partition. Unfortunately, while I could versions were overwritten by the Recovery Install I’d look at everything, I could find nothing that seemed to done right back at the start. be wrong.
One feature of the Recovery Console (not to be Ultimately, after a few weeks of poking and prodding confused with the Recovery Install) is that it can list, and trying different things, none of which worked, I enable and disable system devices and services, so decided to give up and reinstall from a very old image you can try and recover from problems with bad I had, from well before the upgrade to Windows XP. I devices, etc. So, with a bit of paper and a lot of time, then followed this by an upgrade to Windows XP and I stopped most items that looked like they could be all the relevant software (or at least those I could problems. After a little of this I decided to see if there remember :-)). really was a problem with the hardware, and installed a second copy of Windows XP on the same disk but in At this point you would think I would be out of the a different directory. This worked fine, and everything woods, but no. My replacement disk had arrived was okay in this implem.~entation, except that most of back and I went to install it (after checking that it was the programs I wanted to use, were not available. To good ;-)). Again Linux copied fine, and again Windows go any further with this installation I would have to XP was another matter. reinstall everything! Now, this time I was sure something strange was This new installation did give me one additional going on, since everything was running on the other capability, it made it much easier to copy files in and disk, and yet things just seemed to hang up with the out of the disk. It also gave me a working registry to new disk. After playing around a little bit more, I compare the old system with. The only thing was, I stumbled on the issue, at least for this copy. For didn’t have any tools to examine the broken registry some reason, even though I followed all the with, or so I thought! restrictions in copying, Windows had decided that the new disk was drive D: and a number of the drivers Tools to do offline editing of the Windows Registry not surprisingly referred to drive C:. After a week of appear to be very rare, and most things I found that searching and reading, on the Symantec site I tracked mentioned it cost money and yet didn’t seem to do down an option to clear the drive signature that what I wanted. However, as it turned out, there was Windows XP (and 2000) puts on each disk, when it one utility I already had that would do just what I copies the partition. By doing this, it forces Windows wanted, and yet it took me two weeks to find it. to "reinstall" the disk, and correctly identify it as a new C: drive. Of course the obvious question after Recently I downloaded an emergency package for this second problem is, "was this the same problem Linux call "mkCDrec’, which allows you to create an that caused me to reinstall?". Unfortunately, I can’t emergency recovery CD for your Linux system. It answer that, as I no longer had a copy of the original includes the ability to back up the system, perform system. The problems were a little different, but that
AUUGN V01.24, No.2 - 6 - June 2003 may just have been different manifestations of the same problem. So, what do others do for their home network? What other disasters have you had and had to recover from. So, after a month or more of installation, Let me know, or better still, write it up and let reinstallation, changing and exploring, what did I everyone know. learn. Firstly, Unix/Linux systems are much simpler to debug and diagnose problems. Under Windows, most critical information is either in binary files, with no easy tools to process in an emergency, or very basic debug output is written to files in whatever fashion the original programming team deemed fit. For Unix most initial data is in ASCII fries and in standard locations. Even more, because it is so common, it is a fairly standardised format. I have :5 servers as follows these are a!l new Secondly, even at the most basic level, most tools are available for use, and work as they do when the system is fully configured. As well, the lack of HP900.0 series ~. A400:-rack:!~:!~t ~:~X se~ers reliance on a GUI makes much more information with i~ual RiSC .~/oceS~ available and written to the console during boot and and running. In fact the continuing messages written to the console is something that Windows can’t compete AS00 gervers are.::comp~!!},!~U:/faek with, during debugging. I should note that Windows XP has the capability of writing debugging information to one of the serial ports, but this requires far more support for it. ~te~e{ a~pli~atibnS~, ~r6~lig;~ ~ ; ~nd The next thing I should have learnt, but haven’t is the value of backups. In fact, as a professional System " Administrator, I know the value of backups, and Way ~ :pr;:~egs~r : ~onfigh~a~;~g~ 6pfiOn~l generally ensure that I can restore just about second :.::cPU;. ~:/.~ Available .Base;:: everything, but for my home systems, I have some memo~ up~ad~a~ie: ~6 2GB:(A4OO)::.2.imemal major financial constraints. As I said at the start, this is the first disk failure I have suffered, and at the same time, I have a lot of storage available through (mai?:~:, -72 ~ GIGA :B:~E)i~,~:~.,.extemal : out the network. Disk sizes are growing rapidly, but ;apa~i~y Ul~r~sesi, Ultla2: :~S~SI;:-:: 100Base;T backup media is not. At home I have a QIC tape drive capable of backing up around 250-425MB ...... :... (uncompressed) per tape and a CD writer that again co~edfi6~S;~, tOgaS:e~T.; Suppo~ ~LAN; can take about 700MB. At the same time I have over baSed ~le Supp6~d 0~e g gygt~s H,, 250GB of disk storage available to me.
Assuming that I am only using 50% of the disk space I would need over 150 CDs to back it all up. Even moving past the number of CDs, an issue comes up Price¯ $3,300:00, ’ ...... Rec Retail $6500~00 with the software. While I can use dump/restore or some other related product for Linux, I have to find something that will work for Windows. Not an easy ask. And then after that we would get to the Macintosh-’s I still have around the place. Phone~02,9713:7999 Fax 02~97.05:2255. To be honest, I will probably look at a DVD writer, which would reduce the disks needed, but still only by a factor of 4 or 5, and still at a cost of around MY PHONE PTY LTD $100-$200 for media (not counting the cost of the writer). In fact I might consider a major shift in my ACN:.063.150.041 backup strategy and purchase a large slow disk, e.g. 15 >140GB and use it for full backups and then possibly doing incrementals to CDs or DVDs. RUSSELL LEA NSW 2046
Finally, I really do need to investigate more tools to handle such disaster situations. I certainly intend to look further into mkCDrec, as it looks very useful, and would fit the strategy I have, but I’m also interested in others.
AUUGN Vol.24 - No.2 7 - June 2003 by students or demonstrate their use in a school’s (or educational institution’s) administrative area.
Paper presentations should aim for 30 minutes with THE OPEN SOURCE EDUCATION CONFERENCE 10 minutes question time. Other formats, such as a Introducing the Conference workshop or led discussion, may be available. To submit a paper, e-mail: o David Lloyd
AUUGN Vol.24 ~ No.2 - 8 - June 2003 ~/~INI-CONFS AUUG Corporate
Expanding the main conference are our "pre- Members conferences", known as a collection of "mini-confs". as at 1st June 2003 These are informal sessions where conference attendees can meet prior to the main conference to ac3 talk on topics of common interests. Currently there ANSTO are 5 planned mini-confs: Debian, Linux Audio, ANU EducationaLinux, IPv6 and Python. Please see Apple Computer Australia Pry Ltd http://lca2004.1inux.org.au/miniconf.cgi for further Aust Centre for Remote Sensing details. Australian Bureau of Statistics Australian Taxation Office ~:~ARTNERS~ ]PROGRAMME Bradken British Aerospace Australia In an attempt to make attendance at all of Bureau of Meteorology Linux. Conf.Au’s events easier for conference Cape Grim B.A.P.S. delegates, we have introduced a Partners’ Programme Computing Services, Dept Premier & Cabinet to provide activities for partners and their families. Corinthian Industries (Holdings) Pty Ltd Currently we are conducting a survey for potential Cray Australia partner programme attendees to fill in to help the CSIRO Manufacturing Science and Technology conference in its organisation of this event. If you CSIRO Telecommunications & Industrial Physics believe your partner may make use of such a facility, Curtin University of Technology could you please have your partner fill in our survey Cybersource Pty Ltd at http://lca2004.1inux.org.au/partners.cgi Deakin University Department of Land & Water Conservation 1V~ ORE INFORMATION Energex Everything Linux & Linux Help The latest news about Linux.Conf.Au 2004 can be Fulcrum Consulting Group found at our website: http: //lca2004.1inux. org. au IBM Land and Property Information, NSW In addition, a low-volume, no-spam email list has LPINSW been made available so conference related Macquarie University announcements can be communicated. Please Multibase WebAustralis Pty Ltd subscribe to this service at National Australia Bank http: //lists. linux, org. au/listinfo /lca- announce NSW Public Works & Services, Information Services [11 These speakers in good faith have indicated that Peter Harding & Associates Pty Ltd they will speak at the conference. Some changes in Rinbina Pty Ltd the line-up of speakers may occur closer to the event St. Vincent’s Private Hospital due to unforseen circumstances. Sun Microsystems Australia Tellurian Pty Ltd The University of Western Australia Thiess Pty Ltd Uni of NSW - Computer Science & Engineering UNITAB Limited University of New England University of New South Wales University of Sydney University of Technology, Sydney Workcover Queensland
AUUGN Vol.24 ~ No.2 - 9 - June 2003 to connect their own CAPI to Windows, supposedly in Micr s f ens order to eliminate any risk that US intelligence Author: Eben Moglen services have embedded spy code in the company’s products. [Note: Eben Moglen is professor of law at Columbia University Law School. He serves without fee as General Counsel of the Free Unprecedented as the program to show source to Software Foundation. You can read more of his writing at foreign governments and permit limited modification http://moglen.law.columbia.edui] was, Microsoft took an even more extraordinary step in its recent filings with the US Securities and There’s plenty of uneasiness in Redmond, Exchange Commission. The SEC requires publicly- Washington, these days. Microsoft has begun to traded companies to file quarterly statements internalize the recognition that the next, and quite indicating any major changes in position since the probably final, period of its existence will be publication of their annual reports, and disclosing dominated by competition with free software. That any new or additional risks to their profitability. competition presents challenges the monopoly has Microsoft now states that "the popularization of the never faced before, and already it has become Open Source movement continues to pose a necessary, at what Microsoft hopes is still an early significant challenge to the Company’s business stage in the confrontation, to take steps that no other model, including recent efforts by proponents of the competitor has ever had the power to force. Open Source model to convince governments worldwide to mandate the use of Open Source Competing with free software is problematic for software in their purchase and deployment of Microsoft for many reasons. There’s no company to software products. To the extent the Open Source acquire, in the first place, in order to incorporate or model gains increasing market acceptance, sales of suppress attractive competing products - a strategy the Company’s products may decline, the Company that the monopoly has pursued so often and so may have to reduce the prices it charges for its successfully in the past. Because free software is products, and revenues and operating margins may continually modified and improved by all its users, consequently decline." there’s no ’evolutionary dead end’ argument with which to scare customers: someone choosing to use Naturally Microsoft has always found it desirable to free software is never going to be left with an emphasize in its SEC filings that it faces market unserviceable product whose maker has gone out of competition: its antitrust difficulties render it eager to business, leaving the code ’orphaned’ in the face of discuss the highly competitive nature of the software constantly shifting technology. Microsoft’s implicit market at every opportunity. But this decision to message to its customers has been ’We’re always acknowledge free software as a fundamental challenge going to exist; our competitors, whose products you to the Microsoft ’business model,’ along with the quite are considering, won’t last forever.’ But technically specific acknowledgement that prices of its products sophisticated corporate and governmental users now will have to be cut, represents a watershed moment in realize that the free software codebase will last the monopoly’s history. The global investment indefinitely, capable of renewal and replacement for community now has the best possible authority for as long as its users need it. No matter how long taking a second look at its unquestioned belief in Microsoft lasts, free software will last longer. Microsoft’s durability: the official statements of the company itself. As I have said in this space recently, one of the hottest fields of competition at the moment is also the These new statements, of course, like all other largest aggregate software market on earth: the Microsoft pronouncements on our movement, eschew world’s governments. More than sixty-five countries two words: ’free software.’ The company still cannot and dozens or hundreds of political subdivisions are acknowledge the fundamental challenge to its way of actively considering legislation or regulations favoring doing business, which is users’ need for freedom: the the use of free software for government computing. freedom to understand, fix, improve, and share the National governments have begun actively considering software that they depend on. Microsoft likes to refer use of free software for all the reasons (price, to ’open source,’ which sounds like something flexibility, power of modification - in other words, Microsoft could do itself. Its so-called ’shared source’ freedom) that other corporate and individual users initiatives, including the most recent one for foreign also identify. But they have at least one additional governments, are designed to mislead in precisely this reason for adopting free software: they suspect that way. But what Microsoft cannot do, what it will die Microsoft has done favors for the US intelligence trying to prevent us from doing, is to make software community, embedding ’back doors’ in Windows that free. ’Freedom’ is the word the monopolist cannot use, permit US listeners to monitor encrypted which is why, at the beginning of the end of the communications generated using the Windows Microsoft Era, Free Software Matters. Cryptographic Applications Program Interface (CAPI). Last month, in an unprecedented move, Microsoft © Eben Moglen, 2003. announced that it will release Windows source code Verbatim copying of this article is permitted in any for review by foreign governments, to help them medium, provided this notice is prese~red. evaluate whether Windows is a good public purchase. In addition, Microsoft will allow foreign governments
AUUGN Vol.24 o No.2 - 10 - June 2003 Oper BSD 3.3 Released then quickly revoke privilege. The X window server and xconsole now use Author: Todd C. ~iller < Todd. Mifler@co~rtesam co~ > privilege separation, for better security. Also, OpenBSD 3.3 has been released and is now available xterm has been modified to do privilege revocation. from select ftp mirrors. We believe this is our best xdm runs as a special user and group, to further release ever with cool new features including constrain what might go wrong. ProPolice stack protection in the compiler RSA blinding is now on by default in OpenSSL. (http ://www. trl. ibm. com/proj ects/security/ssp/), Many occurrences of strcpy0, strcat0 and sprintf0 queue support for pf (traffic shaping), an hppa (pa- have been changed to strlcpy0, strlcat0, and risc) port, W^X for some platforms (sparc, sparc64, snprintf0 or asprintf0. alpha and hppa), privilege separation in the X server and xconsole, fewer setuid binaries, a new spam A process will now have the P_SUGIDEXEC flag set deferral daemon and much, much more. f any of the real, effective, or saved uid/gid are mismatched. Previously only the real and effective Full release announcement follows: uid/gid were checked.
OPENBS]) 3.3 RELEASED ptrace(2) is now disabled for processes with the P_SUGIDEXEC flag set.
May 1, 2003. Improved hardware support (http : //www. 0penBSD. org/plat, html) We are pleased to announce the official release of OpenBSD 3.3. This is our 13th release on CD-ROM ¯ The xl(4), sis(4) and vr(4) ethernet drivers are more (and 14th via FTP). We remain proud of OpenBSD’s robust. record of seven years with only a single remote hole in the default install. As in our previous releases, 3.3 The ahc(4) and bktr(4) drivers now work on provides significant improvements, including new macppc. features, in nearly all areas of the system: o Vlan tagging now works properly in the ti(4) driver. Ever-improving security http : //www. OpenBSD. org/security, html The cac(4) driver is now more stable. Integration of the ProPolice stack protection technology, by Hiroaki Etoh, into the system Media handling has been improved in the hme(4) compiler. This protection is enabled by default. driver. With this change, function prologues are modified to rearrange the stack: a random canary is placed Bugs have been fixed in the gem(4) driver to make before the return address, and buffer variables are it more stable on the sparc64 platform. moved closer to the canary so that regular variables are below, and harder to smash. The Several fixes for the ami(4) driver. function epilogue then checks ff the canary is still intact. If it is not, the process is terminated. This New LZS compression support for the hfn(4) change makes it very hard for an attacker to driver. modify the return address used when returning from a function. Support for new IDE controllers from Promise, VIA, NVIDIA and ServerWorks. W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU o siop(4) driver improvements. (sparc, sparc64, alpha, hppa). This is a fine- graine~l memory permissions layout, ensuring that The sparc64 platform is now supported on several memory which can be written to by application more models and is much more stable. programs can not be executable at the same time and vice versa. This raises the bar on potential Major improvements in the pf packet filter, including: buffer overflows and other attacks: as a result, an attacker is unable to write code anywhere in pf now supports altq-style queueing via the new memory where it can be executed. (NOTE: i386 "queue" directive. Packets are assigned to queues and powerpc do not support W^X in 3.3; however, based on filter rules. This allows for very flexible 3.3-current already supports it on i386, and both queue settings, including quality of service these processors are expected to support this bandwidth shaping. change in 3.4.) New support for "anchors," which allows the use of Further reduction of the number of setuid and sub-rulesets which can be loaded and modified setgid binaries and more use of chroot(2) independently. throughout the system. While some programs are still setuid or setgid, most allocate a resource and A new "table" facility provides a mechanism for
AUUGN Vol.24 ~ No.2 - 11 - June 2003 increasing the performance and flexibility of rules o Sendmail 8.12.9. with large numbers of source or destination addresses. Apache 1.3.27 and mod_ssl 2.8.12, DSO support (+ patches). Address pools, redirect/NAT to multiple addresses and thus load balancing. OpenSSL 0.9.7beta3 (+ patches).
The scrub option ’no-dr has been changed to o Stable version of KAME IPv6. better handle fragments with DF set, such as those sent by Linux NFS. OpenSSH 3.6 (now 100% compliant with the secsh drafts). There is a new ’random-id’ option for the scrub rules. This randomizes outbound IP IDs and helps Bind 9.2.2 (+ patches). defeat NAT detection. o Perl 5.8.0 TCP state inspection is now RFC 763 compliant; we now send a reset when presented with SYN- o Sudo 1.6.7. cookie schemes that send out-of-window ACKs during the TCP handshake. Latest ISC cron (+ patches and atrun integration).
o TCP window scaling support. Improved vlan(4) robustness.
Full support for CIDR addresses. FreeBSD emulation now recognizes newer FreeBSD ELF binaries. Early checksum verification return on invalid Significant improvements to the pthread library. packets. Many, many man page improvements. The configuration language has been made much more flexible. If you’d like to see a list of what has changed between OpenBSD 3.2 and 3.3, look at o Large rulesets now load much more quickly. http://www. OpenBSD.org/plus33.html New subsystems included with 3.3 Even though the list is a summary of the most spamd, a spam deferral daemon, can be used to important changes made to OpenBSD, it still is a very tie up resources on a spammer’s machine, spamd very long list. uses the new pf(4) table facility to redirect connections from a blacklist such as SPEWS or SECURITY AND ERRATA DIPS. We provide patches for known security threats and OpenBSD 3.3 includes the hppa port for HP PA- other important issues discovered after each CD RISC machines. This should be considered a work release. As usual, between the creation of the in progress; users are advised to install the most OpenBSD 3.3 FTP/CD-ROM binaries and the actual recent snapshot instead of the formal 3.3 hppa 3.3 release date, our team found and fixed some new release. reliability problems (note: most are minor, and in Many other bugs fixed subsystems that are not enabled by default). Our (http : //www. OpenBSD. org/plus33 . html) continued research into security means we will find new security problems -- and we always provide The "ports" tree is greatly improved patches as soon as possible. Therefore, we advise (http ://www. OpenBSD. org/ports, htral) regular visits to http : //www. OpenBSD. org/security, html The 3.3 CD-ROMs ship with many pre-built and packages for the common architectures. The FTP http: //www. OpenBSD. org/errata, html site contains hundreds more packages (for the important architectures) which we could not fit Security patch announcements are sent to the onto the CD-ROMs (or which had prohibitive security-announce@0penBSD, org marling list. For licenses). information on OpenBSD mailing lists, please see:
Many subsystems improved and updated since the last release: http://www. OpenBSD.org/mail.html o Free86 4.2.1 (+ patches). CD-ROM SALES o gcc 2.95.3 (+ patches and ProPolice). OpenBSD 3.3 is also available on CD-ROM. The 3- CD set costs $40USD (EUR 45) and is available via
AUUGN V01.24 o No.2 -12- June 2003 mail order and from a number of contacts around the OpenBSD can be easily installed via FTP. Typically world. The set includes a colorful booklet which you need a single small piece of boot media (e.g., a carefully explains the installation of OpenBSD. A new boot floppy) and then the rest of the files can be set of cute little stickers are also included (sorry, but installed from a number of locations, including our FTP mirror sites do not support STP, the Sticker directly off the Internet. Follow this simple set of Transfer Protocol). As an added bonus, the second instructions to ensure that you find all of the CD contains an exclusive audio track, "Puff the documentation you will need while performing an Barbarian." Lyrics for the song may be found at: install via FTP. With the CD-ROMs, the necessary documentation is easier to find. http://www. OpenBSD.org/lyrics.html#33 1) Read either of the following two files for a list of ftp Profits from CD sales are the primary income source mirrors which provide OpenBSD, then choose one for the OpenBSD project -- in essence selling these near you: CD-ROM units ensures that OpenBSD will continue to make another release six months from now. http: //www. OpenBSD. org/ftp, html ftp: / /ftp. OpenBSD. org/pub / Op enBSD / 3.3 / ftplist The OpenBSD 3.3 CD-ROMs are bootable on the following four platforms: As of May 1, 2003, the following ftp sites have the o i386 3.3 release: o macppc o sparc ftp: / / ftp. ca. openbsd, org/pub / OpenBSD / 3.3 / o sparc64 (UltraSPARC) Alberta, Canada ftp://ftp.usa.openbsd.org/pub/OpenBSD/3.3/ (Other platforms must boot from floppy, network, or Boulder, CO, USA other method). ftp: //ftp7. usa. openbsd, org/pub / os / OpenBSD / 3.3 / West Lafayette, IN, USA For more information on ordering CD-ROMs, see: ftp://openbsd.wiretapped.net/pub/OpenBSD / 3.3 / Sydney, Australia http : //www. OpenBSD. org/orders, html ftp://ftp.kd85.com/pub/OpenBSD/3.3/ Ghent, Belgium The above web page lists a number of places where ftp: //ftp. calyx, nl/pub / OpenBSD/3.3/ OpenBSD CD-ROMs can be purchased from. For our Amsterdam, Netherlands default mail order, go directly to: ftp: //ftp. se. openbsd, org/pub/OpenBSD / 3.3 / https ://https. OpenBSD. org/cgi-bin/order Stockholm, Sweden ftp: //ftp.linux. org.tr/pub / OpenBSD / 3.3 / Turkey or, for European orders:
https ://https. OpenBSD. org/cgi-bin/order, eu Other mirrors will take a day or two to update.
All of our developers strongly urge you to buy a CD- 2) Connect to that ftp mirror site and go into the ROM and support our future efforts. Additionally, directory pub/OpenBSD/3.3/ which contains donations to the project are highly appreciated, as these fries and directories. This is a list of what described in more detail at: you will see:
http://www. OpenBSD.org/goals.html#funding ANNOUNCEMENT ftplist ports.tar.gz Changelogs/ hp300/ root.mail HARDWARE hppa/ sparc/ T-SHIRT SALES PACKAGES i386/ sparc64/ PORTS mac68k/ src.tar.gz README macppc/ srcsys.tar.gz The project continues to expand its funding base by XF4.tar.gz mvme68k/ tools/ selling t-shirts and polo shirts. And our users like alpha/ packages/ vax/ them too. We have a variety of shirts available, with the new and old designs, from our web ordering 3) It is quite likely that you will want at LEAST the system at: following files which apply to all the architectures OpenBSD supports. https ://https. OpenBSD. org/cgi-bin/order README generic README and for Europe: HARDWARE list of hardware we support https ://https. OpenBSD. org/cgi-bin/order, eu PORTS description of our "ports" tree PACKAGES description of pre-compiled packages The OpenBSD S.S and OpenSSH t-shirts are available root.mail a copy of root’s mail at initial login. now! (This is really worthwhile reading).
4) Read the README file. It is short, and a quick FTP INSTALLS read will make sure you understand what else you need to fetch. If you choose not to buy an OpenBSD CD-ROM,
AUUGN Voh24 ~ No.2 - 13 - June 2003 5) Next, go into the directory that applies to your architecture, for example, i386. This is a list of Note: some of the most popular ports, e.g., the what you will see: Apache web server and several X applications, come standard with OpenBSD. Also, many popular ports CKSUM base33.tgz game33.tgz have been pre-compiled for those who do not desire to INSTALL.ata bsd index.txt INSTALL.chs bsd.rd man33.tgz build their own binaries (see PACKAGES, below). INSTALL.dbr cd33.iso misc33.tgz INSTALL.i386 cdrom33.fs xbase33.tgz BINARY PACKAGES WE PROVIDE INSTALL.Iinux comp33.tgz xfont33.tgz INSTALL.mbr etc33.tgz xserv33.tgz INSTALL.os2br floppy33.fs xshare33.tgz A large number of binary packages are provided. INSTALL.pt floppyB33.fs Please see the PACKAGES file MD5 floppyC33.fs ftp : //ftp. OpenBSD. org/pub/OpenBSD/PACEAGES If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386 and the appropriate floppy*.fs or for more details. cd33.iso file. Consult the INSTALL.i386 file if you don’t know which of the floppy images you need SYSTEM SOURCE CODE (or simply fetch all of them). The CD-ROMs contain source code for all the 6) If you are an expert, follow the instructions in the subsystems explained above, and the README file called README; otherwise, use the more complete instructions in the file called f tp : / / ftp. OpenBSD. org/pub/OpenBSD/README INSTALL.i386. INSTALL.i386 may tell you that you need to fetch other files. file explains how to deal with these source files. For those who are doing an FTP install, the source code 7) Just in case, take a peek at: for all four subsystems can be found in the pub/OpenBSD/3.3 / directory: http : //www. OpenBSD. org/errata, html XF4.tar.gz src.tar.gz This is the page where we talk about the mistakes ports.tar.gz srcsys.tar.gz we made while creating the 3.3 release, or the significant bugs we fixed post-release which we THANKS think our users should have fixes for. Patches and workarounds are clearly described there. OpenBSD 3.3 includes artwork and CD artistic layout by Ty Semaka, who also wrote the lyrics and arranged Note: If you end up needing to write a raw floppy an audio track on the OpenBSD 3.3 CD set. Ports using Windows, you can use "fdimage.exe" located in tree and package building by Christian Weisgerber, - the pub/OpenBSD/3.3/tools directory to do so. David Lebel and Peter Valchev. System builds by Theo de Raadt, Henning Brauer, Todd Fries and Miod XF~Er86 FOR MOST ARCHITECTURES Vallat. ISO-9660 filesystem layout by Theo de Raadt. We would like to thank all of the people who sent in XFree86 has been integrated more closely into the bug reports, bug fixes, donation cheques, and system. This release contains XFree86 4.2.1. Most of hardware that we use. We would also like to thank our architectures ship with XFree86, including sparc, those who pre-ordered the 3.3 CD-ROM or bought our sparc64 and macppc. During installation, you can previous CD-ROMs. Those who did not support us install XFree86 quite easily. Be sure to try out xdm(1) financially have still helped us with our goal of and see how we have customized it for OpenBSD. improving the quality of the software. On the i386 platform a few older X servers are Our developers are: included from Xfree86 3.3.6. These can be used for cards that are not supported by Xfree86 4.2.1 or Aaron Campbell, Alexander Yurchenko, Angelos D. where XFree86 4.2.1 support is buggy. Please read Keromytis, Anti Madhavapeddy, Alrtur Grabowski, the /usr/XllR6/README file for post-installation Ben Lindstrom, Bjorn Sandell, Bob Beck, Brad information. Smith, Brandon Creighton, Brian Caswell, Brian Somers, Bruno Rohee, Camiel Dobbelaar, Cedric PORTS TREE Berger, Chad Loder, Chris Cappuccio, Christian Weisgerber, Constantine Sapuntzakis, Dale Rahn, The OpenBSD ports tree contains automated Damien Couderc, Damien Miller, Dan Harnett, instructions for building third party software. The Daniel Hartmeier, David B Terrell, David Krause, software has been verified to build and run on the David Lebel, David Leonard, Dug Song, Eric various OpenBSD architectures. The 3.3 ports Jackson, Federico G. Schwindt, Grigoriy Orlov, collection, including many of the distribution files, is Hakan Olsson, Hans Insulander, Heikki Korpela, included on the 3-CD set. Please see the PORTS file Henning Brauer, Henric Jungheim, Hiroaki Etoh, for more information. Horacio Menezo Ganau, Hugh Graham, Ian
AUUGN Vol.24 ~ No.2 - 14 - June 2003 Darwin, Jakob Schlyter, Jan-Uwe Finck, Jason Ish, Jason McIntyre, Jason Peel, Jason Wright, The Linux System Jean-Baptiste Marchand, Jean-Jacques Bernard- Gundol, Jim Rees, Joshua Stein, Jun-ichiro itojun Administrator’s Hagino, Kenjiro Cho, Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding, Louis Bertrand, Marc Espie, Marc Matteo, Marco S Security Guide Hyman, Marcus Watts, Margarida Sequeira, Mark Author: Kurt Seifried
The principal objective of computer security is to protect and assure the confidentiality, integrity, and availability of automated information systems and the data they contain. silicon (http: //csrc.nist.Nov/publications/secpubs / cslaw.txt)
There are numerous definitions for "computer security", and most of them are correct. Essentially computer security means enforcement of usage policies, this must be done since people and software have flaws that can result in accidents, but also because someone may want to steal your information, use your resources inappropriately or simply deny you the use of your resources. Security Policy A security policy is an expression of your organizations security goals. Security goals will vary greatly by organization, for example a software vendor is typically more concerned about the confidentiality and integrity of their source code anything else, while a pornographic website is probably more concerned about processing credit cards online. There is an immense amount of security technology available, from software and hardware to specific techniques and implementations. You cannot properly implement the technology without a solid idea of what your goals are. Do home users connecting to the office need to use VPN software? If your security policy states that all file and print transfers must either be encrypted or sent across a "trusted" network then the answer is [email protected] probably yes. What authentication methods are acceptable for services that can be reached from the Internet? Do you require strong passwords, tokens, biometric authentication, or some combination? The data you collect from remote sites, is it more important that this data is collected, or is it more important that this data remain secret? Data that is remote weather telemetry is probably not as sensitive as credit card numbers.
AUUGN Vol.24 ~ No.2 - 15 - June 2003 users. These are a good compliment to a security Some security policies will need to be exceptionally policy as they set out in concrete terms what a user is broad and general, for example the security policy for or is not allowed to do, and as they are often part of a JANET, the academic backbone network for England contract it allows a provider to enforce their security states: policy when a user attempts to violate it or has violated it. Acceptable Use Policy Privacy policies are interesting in that they are supposed to prevent an organization 9typically a company) from violating some aspects of a user’s security (specifically the confidentiality of their information). Unfortunately the majority of privacy policies contain clauses like "this policy may change at any timewithout warning" or are simply discarded when a company decides to profit off of a user’s information (such as name, address, credit card details, purchase history, etc.). Security is a Process You only need to make one mistake or leave one flaw available for an attacker to get in. This of course means that most sites will eventually be broken into. Witness the effects of Code Red, an Nimda, both of which were hugely successful exploiting well known and long solved vulnerabflities in the Microsoft IIS server. Regularity apply patches (after testing them). Regularly scan your network for open ports. Regularly scan your servers with intrusion testing software such as Nessus. Audit file permissions and make sure there are no unexpected setuid or setgid binaries. Defense in depth All technical security measures will eventually fail or be vulnerable to an attacker. This is why you must On the other hand a security policy can be fine have multiple layers of protection. Firewalls are not grained: enough, you may accidentally forget a rule or leave yourself exposed while reinitializing a ruleset, use tcp_wrappers to restrict access to services as well where possible. Restrict which users can access these services, especially if only a few users need access. Encrypt traffic where possible so that attackers cannot easily snoop usernames and passwords or hijack sessions. Since security measures will fail you Generally speaking the more detailed and technology oriented a also need a strong audit and logging process so that security policy is the harder it will be to follow and keep up to you can later find out what went wrong and how bad date. The actually technical details of implementing a security it is. policy should be separated from it. Keeping a separate set of best Technical Problems practices or an actually "implementation of security policy" These are just a handful of thousands of specific document is a better idea then rolling it all into the security technical problems facing security administrators. policy. Network Connectivity Acceptable Use Policy One of the biggest security challenges is the increase Another component of computer security is an AUP in network connectivity. If you have a machine that is (Acceptable Use Policy). This is a document that sates not connected to any other machines an attacker will what a user of your resources may or may not do with generally need to gain physical access. This of course them. Typically it is part of a contract and is signed at greatly narrows down the number of attackers. the time when the services are purchased. Many However with everything connected to the Internet there are over 100 million people that can potentially acceptable use policies generally forbid actions that get into your machine. are illegal, potentially annoying to other people (and hence likely to cause problems for the provider in the Insecure defaults form of complaints) or are controversial (such as This is one of the problems that has caused no end of pornography). Other standard clauses include "this security problems since day one. Vendors typically notice may change at any time without warning" and ship their operating systems with insecure defaults "we can terminate your service (or fire you) at any (i. e. finger, telnet, ftp, etc.) meaning that time without warning if you violate this policy. administrators must expend a lot of effort to close Generally speaking the majority of AUP’s are security problems before they can even start to pro- reasonable and will not be a problem for normal actively secure their systems and networks.
AUUGN Vol.24 ~ No.2 - 16 - June 2003 Legitimate access vs.s a break in Installing physical monitoring devices such as Because you must grant legitimate users access to KeyGhost resources there is always the potential for attackers Stealing the system’s disk(s) to gain access. Attacker can guess authentication Unplug the server, or turn the power bar off (a credentials (i.e. weak passwords), steal them very effective DOS), if done several times this (password sniffing), exploit flaws in the server itself can lead to filesystem corruption. and so on. Minimizing access and privilege These are just a few of many possible attacks. The When possible restrict access. If you do not need to primary goal is to stop them where possible, and run fingerd turn it off and remove it. An attacker failing that slow them down so that hopefully cannot exploit fingerd ff it isn’t present. Keep users off someone will notice the attacker tearing apart a of servers if possible, if they need shell accounts for system in someone’s office. The installation of some reason setup a separate system and partition it monitoring devices is becoming especially worrisome, off from the rest of your network. Lock down as they are now available for purchase online for less workstations where possible, set BIOS passwords, then $100. An attacker can easily log all keystrokes secure the boot sequence, do not give them for a long time period before the attacker comes back administrative access. to retrieve them. Periodic physical inspections (in teams of two) of user machines for items like (This section was sponsored by Vigilante KeyGhost, modems are so on are a good idea. http://www.viigilante.com) Gaining access to office buildings is often trivial. ]PHYSICAL AND CONSOLE SECURITY While working for the government there was no access control to the building itself from 8 A.M. until While the majority of random and remote attacks 5 P.M. (after 5 P.M. a security guard forced you to sign in). Worse yet the building had a back entrance come in over the network physical and console that was not monitored. If you were to enter at 4:30 security are important factors. In a perfect world every machine would be physically secure with access P.M., hide in a bathroom for an hour or two (crouched to the console (i.e. keyboard, reset switch and on top of a toilet reading the latest Linux Journal) you monitor) tightly controlled. Unfortunately this is not a could easily spend several hours fiddling with desktop systems and leave at your convenience without being perfect world it is rare to find a physically secure seen by anyone. Cleaning staff also never questioned machine outside of a server room. me when I stayed late (and conversely I never Physical security questioned them), you should train staff to approach Remember that an attacker may not want to break into your desktop machine or network, they may be people they do not recognize and ask them politely if looking for a quick way to make $200, and stealing a they need assistance or are lost. While access to buildings cannot often be controlled effectively (to desktop computer is one way to do that. All systems many entrances / different tenants / etc.) you can should be securely fastened to something with a cable control access to your floor, a locked door with a system, or locked in an equipment cage if possible. CCTV monitoring it after hours is often a good Case locks should be used when possible to slow deterrent. attackers down (thefts of ram and CPU’s are becoming increasingly popular). Some systems, like "Practical Unix and Internet Security" from O’Reilly Apple G4’s, when cable locked cannot be opened, if covers physical problems as well and is definitely you need machines for public areas features like this are ideal. For secure rooms make sure that the walls worth buying. go beyond the false ceiling, and below the raised floor, Console security large vents should also be covered with bars ff With physical access to most machines you can possible. Monitoring the room with CCTV and possibly requiring a remote person to "buzz" you in (in simply reboot the system and ask it nicely to launch addition to a lock, keypad or other access control into single user mode, or tell it to use/bin/sh for init. device) is recommended. You can enter the BIOS and tell the machine to boot from a floppy, doing a quick end run around most With enough time and physical access an attacker security. Alternatively you can simply enter the bios, will be able to gain access to the system, several disable the IDE controllers, put a password on the methods of attack include: BIOS, rendering the machine largely unusable. BIOS / Open Firmware security Rebooting the system from other media such Assuming the attacker does not steal the entire as floppy disk, CD-ROM, external SCSI drives machine the first thing that they will usually try is to reboot the system and either boot from a floppy disk and so on (or other removable media). If they can do this then Removing the case, and removing the BIOS any standard file protection is useless, the attacker battery to get around any BIOS restrictions declares themselves to be root, mounts the filesystem Using a default BIOS password to gain access and gains complete access to it. to the BIOS Rebooting the system and passing boot To secure a x86 BIOS you typically enter it by hitting arguments to LILO "delete" or a function key during the boot process, the
AUUGN Vol.24 ~ No.2 17 - June 2003 actual name and location of the BIOS password varies from the default of none to command at the very significantly, look for "security" or "maintenance". least, and full if you are security conscious (warning, There are usually different levels of password you will need the password to boot the machine). protections, on some motherboards you can disable the keyboard until a password is typed in (the BIOS intercepts and blocks input until it sees the password ok password i ....~ entered on the keyboard), on others it only prevents ok New password (only fif~ ~8 ChagS are used) :***** accessing the BIOS. Generally speaking you want to ok Retype new password: ***~* ¯ ..... ~ i block access to the BIOS, and lock the boot sequence ok ~ . ~ ~ Ok ~seten9 security-mode full i ~:i~i ~ to the first internal storage device (i.e. the first IDE disk or SCSI).
Even f you do everything right there are still some You can also set "security-mode" to "command" which ways for an attacker to subvert the boot process. will require the password to access the open firmware Many older BIOS’s have universal passwords, but is less strict then "full". Do not lose this generally speaking this practice has declined with password, especially f you set the security-mode to modern systems, but you may wish to inquire with full, as you may need to replace the PROM to recover the vendor. Another potential problem to be aware of the system. You can wipe the password by setting is that many add-on IDE and SCSI controller cards "security-mode" to "none". have their own BIOS, from which you can check the status of attached devices, choose a boot device, and Unfortunately f you are using Apple hardware you in some cases format attached media. Many high-end cannot secure the boot process in any meaningful network cards also allow you to control the boot manner. While booting f the user holds down the sequence, letting you boot from the network instead command-option-P-R keys it will wipe any settings of a local disk. This is why physical security is critical that exist, there is no way to avoid this. About the for servers. Other techniques include disabling the only security related option you can set is whether floppy drive so that attackers or insiders cannot copy the machine automatically reboots or not, this is information to floppy and take it outside. You may useful for servers to prevent a remote attacker from also wish to disable the serial ports in users changing the kernel for example (which require a machines so that they cannot attach modems, most system reboot). Hold down the command-option-O-F modern computers use PS/2 keyboard and mice, so keys to access the OpenFirmware and from there you there is very little reason for a serial port in any case need to: (plus they eat up IRQ’s). Same goes for the parallel port, allowing users to print in a fashion that bypasses your network, or giving them the chance to attach an external CD-ROM burner or harddrive can decrease security greatly. As you can see this is an extension of the policy of least privilege and can LILO Security decrease risks considerably, as well as making LILO is the Linux boot loader, it handles all the nitty network maintenance easier (less IRQ conflicts, etc.). gritty tasks of getting the kernel into memory and There are of course programs to get the BIOS bootstrapping them machine into something that password from a computer, one is available resembles a useful computing device. LILO handles http://www.c~, it is available for DOS many things, from telling the kernel to look for and Linux. multiple network cards to how much memory there is (assuming Linux won’t detect how much your system If you decide to secure the BIOS’s on systems you has). There are several options you can pass to LILO should audit them once in a while f possible, simply to bypass most any account security or console reboot the machine and try to boot off of a floppy disk security. or get into the BIOS. If you can then you know someone has changed settings on the system, and Booting Linux into single user mode with (assuming while there may be a simple explanation (a careless the label is "linux")’ technician for example) it may also be your first warning that an attack has occurred. There are boot: linux single several programs for Linux that allow an attacker with root access to gain the BIOS password, while this is a rather moot point it does bear mentioning (if This will dump you into a root level command prompt an attacker has gained root access they can already on many systems. From there you can simply add a do pretty much anything). new users with UID 0, format the disks or copy Trojan’ed binaries off a floppy disk. One way many To secure a Sparc or UltraSparc boot prom send a vendors deal with this is by using sulogin, single user break during boot-up, hit stop-a, and you should be login, which prompts for root’s password before presented with the ok> prompt. Setting your letting you on. This will prevent people from accessing password is a simple matter of using the password single user mode and getting directly to a root prompt command and typing the password in twice. You will however there is a another attack. You can specify then want to set the security-mode, using "setenv" which program will be used to init the system, instead
AUUGN Vol.24 ~ No.2 18 - June 2003 image~:/boot/vmlinuz.2.2.17 of the default init you can use a command shell: label=linux-old root=idev/!h~al ...... boot: linux single init=/bin/sh p~ssword=thisisapasswor4 . . restricted ¯
Which will present you with a root prompt. The best way to defeat this and the single mode problem are to The above example will prevent attackers from secure LILO and prevent the passing of boot messing with the "linux" and "linux-old" image, arguments without a password. Many people argue however if they need to boot the old kernel (because a that this somehow inhibits normal use of the system, driver is broken, or SMP support doesn’t work quite however there should be no need normally for the right) then they will not need the password to do so. user booting the system to pass LILO arguments (f an argument is needed at boot time it should be put Depending on the level of security you want you can into lilo.conf permanently). Generally speaking the either restrict and password protect all of LILO, or only time you will need to pass LILO arguments is just the individual images. In any event if you are when something on the system breaks, at which point deploying workstations or servers you should use one it’s probably wise to send out a technician who knows to prevent users from breaking into systems in less the password to fix the system. than 10 seconds. While things like sulogin will prevent a user from getting a root prompt if they enter To secure LILO you must set a password, and use the single user mode the attacker can always use restricted keyword. You can also set security on a per "init=/bin/sh". image basis, or on LILO as a whole. If you set security on a per image basis you will be able to tell LILO One minor security measure you can take to secure which image you wish to boot without needing a the lilo.conf file is to set it immutable, using the password, but you will not be able to pass the kernel "chattr" command. To set the file immutable simply arguments such as "single". If you set security on run the following command as root: LILO as a whole then you will only be able to boot to the default image, specifying a different image will require the password.
And this will prevent any changes (accidental or boot=ide~/hda ~ map=/boot/map ...... " ! ¯ ~ otherwise) to the lilo.conf file. If you wish to modify in~ili=/boot/boot, b : " the lilo.conf file you will need to unset the immutable flag run the following command as root:
only the root user has access to the immutable flag. Grub security Grub is the default boot loader in Debian, Mandrake and possibly Red Hat 7.2. More on this to come.
[Ed’s Note: Debian Woody (current release) uses Lilo. Mandrake > 8 uses Grub. RedHat > 8 gives you a choice but will default to Grub. Mandrake and Redhat give you an opportunity to enter a Grub password in their installers.] This can be cumbersome, however it does prevent Rebooting the system attackers from booting a different image. If possible you should make rebooting the system more difficult, by default a!most all Linux boot:/deZ/!hda distributions have ctrl-alt-del enabled so that it map:/boot/map install=/boot/boot.b reboots the machines. However, unlike Windows, this prompt, is not necessary. In Linux you can easily control the timeout=50 behavior of ctrl-alt-del, simply by editing the meSlsage=/boot/message /etc/inittab file: linear ’ " default=linux ...... image=/boot/Vm~!i.n~z=2.2.18 ca::ctrlaltdel:/sbin/shutdown -t3 -r now label~ii!~ read’only root=/deg/hdal password~thisisapassword You may wish to disable it entirely (simply comment it restricted out with a #) or modify the command issued. Minimally you can create a bash script such as:
AUUGN Vol.24 ~ No.2 19 - June 2003 To: arch@freebsd.org #!/bin/bash Subject: 5-STABLE Roadmap # # This script emails a message to root and then shuts # down the system after a 5 second delay # Thanks to the hard work of everyone, FreeBSD 5.0 /bin/date I ibin/mail-s "ctr~-alt-del used" root became a reality and is working better than most even /bin/sleep 5s /sbin!shutdown -t3 -r now hoped. However, there is still a lot of work to be done before we can create the RELENG_5/5-STABLE Now every time someone hits ctrl-alt-del you will have branch and declare success. Below is a document an email message in root’s account logging it. You can that I have drafted with the input and review of the also send that email to another system (i.e. to Release Engineering Team, the Technical Review [email protected]). If you do this you may wish to Board, and the Core Team that defines what needs to introduce a small delay between the mail command be done in order to reach 5-STABLE. I’m happy to and the shutdown command to ensure the email gets take further input into this, and I will also mark it up out before the mail system is turned off. Of course an and make it available online. attacker can always hit the reset switch, power button, unplug the system, or trip the breakers for an 1 ¯ INTRODUCTION AND BACKGROUND entire floor of computers. If the system is in a locked After nearly three years of work, FreeBSD 5.0 was cabinet however this is quite a bit more conspicuous released in January of 2003. Features like the GEOM then simply using a three finger salute (ctrl-alt-del) to block layer, Mandatory Access Controls, ACPI, reboot the system. sparc64 and ia64 platform support, and UFS Summary snapshots, background filesystem checks, and 64-bit An attacker with physical access to the console, or inode sizes make it an exciting operating system for worse yet the hardware itself has many potential both desktop and production users. However, some avenues of attack they can pursue. Worse yet f their important features are not complete. The foundations goal is to simply deny use of service, or damage the for fine-grained locking and preemption in the kernel software and hardware doing so is trivial. Flipping the exist, but much more work is left to be done. Work power off and on during the boot process will often on Kernel Schedulable Entities, also known as result in drive corruption, or they can simply pour a Scheduler Activations, has been ongoing but needs a glass of water into the power supply. Locking servers push to realize its benefit. Performance compared to up in secure rooms is critical, a competitor can easily FreeBSD 4.x has declined and must be restored and afford to pay a janitor several thousand dollars to surpassed. turn a server off, and pour pop into the power supply, resulting in a dead server when staff turns it back on. This is somewhat similar to the situation that Workstations are typically more vulnerable as they FreeBSD faced in the 3.x series. Work on 3-CURRENT are in accessible areas, but hopefully they are trudged along seemingly forever, and finally a cry was interchangeable with another workstation, with all made to ’just ship it’ and clean up later. This decision data being stored on servers. resulted in the 3.0 and 3.1 releases being very unsatisfying for most, and it wasn’t until 3.2 that the To be continued... series was considered ’stable’. To make matters worse, the RELENG_3 branch was created along with This article is re-printed with permission. The originals the 3.0 release, and the HEAD branch was allowed to can be found at: advance immediately towards 4-CURRENT. This resulted in a quick divergence between HEAD and RELENG_3, making maintenance of the RELENG_3 The Roadmap for branch very difficult. FreeBSD 2.2.8 was left for quite a while as the last production-quality version of FreeBSD 5oStable FreeBSD. Author: Scott Ling
AUUGN Vol.24 ~ No.2 - 20 - June 2003 latency. Work is ongoing to implement lazy context 2o I~[AJOR ISSUES switching on all platforms. Fine grained locking of drivers will also help this, as will converting drivers to The state of SMPng and kernel lockdown is the be as efficient as possible in their interrupt routines. biggest concern for 5.x. To date, few major systems have come out from under the kernel-wide mutex Next, the state of KSE must resolved for RELENG_5. known as ’Giant’. The SMP status page at Work on it has slowed noticeably in the past 6 http : //www. FreeBSD. org/stop provides a months but appears to be picking up again. There are comprehensive breakdown of the overall SMPng a number of issues that must be addressed: status. Status specific to SMPng progress in deivce Signal delivery to threads is not defined. Signals drivers can be found at at are delivered to the process, but which thread http : //www. FreeBSD. org/proj ects/busdma. actually receives it is random. o There is confusion over whether upcalls are In summary: generated on every system call or when a thread blocks. The former is highly undesirable and needs VM - the kmem_malloc(M_NOWAIT) path no longer to be investigated. needs Giant held. The kmem_malloc(M_WAITOK) o The userland threading library, currently called path is in progress and is expected to be finished libkse, is incomplete and has not been used for in the coming weeks. Other facets of the VM any significant threaded application. system, like the vfs interface, buffer/cache, etc, o KSE has the potential to uncover latent race are largely untouched. conditions and create new ones. An audit needs to GEOM - The GEOM block layer was designed to be performed to ensure that no obvious problems run free of Giant, but at this time no block drivers exist. can run without Giant. Additionally, it has the potential to suffer performance loss due to its According to the release schedule below, KSE kernel upcall/downcall data paths happening in kernel and userland components must be functionality threads. Lightweight context switches might help complete by June 2003 in order to be included in the this. RELENG_5 branch. For security and stability Network - Work is in progress to lock the TCP and reasons, ff KSE cannot be finished in time then, by UDP portions of the stack. This also includes default, all KSE-specffic syscalls should be modified locking the routing tree, ARP code, and faddr and to return ENOSYS and all other KSE-specific inet data structures. RawlP, IPv6, Appletalk, etc, interfaces disabled. Deprecating KSE from RELENG_5 have not been touched. Locking the socket layer is but keeping it in the HEAD branch will pose problems in progress but is largely untested. None of the in porting bugfixes and features between the two hardware drivers have been locked. branches, so every effort should be made to finish it VFS - Initial pre-cleanup started. on time. buffer/cache - Initial work complete. Proc - Work on locking the proc structure was ongoing for a while but seems to have stalled. 3, GOALS FOR 5-STABLE CAM - No significant work has occurred on the The goals for the RELENG_5 branch point are: CAM SCSI layer. o All subsystems and interfaces must be mature Newbus - some work has started on locking down enough to be maintainable for improvements and the device t structure. bug fixes -- o Pipes - complete with the exception of VM-related equal or better stability from FreeBSD 4.8. optimizations. o no functional regressions from 4.8. It is important File descriptors - complete. to make sure that users do not avoid upgrading to Process accounting -jails, credentials, MAC labels, 5.x because of lost functionality. o and scheduler are out from under Giant. performance on par with FreeBSD 4.8 for most MAC Framework - complete common operations. Both UP and SMP Timekeeping - complete configurations should be evaluated. SMP has the kernel encryption - crypto drivers and core crypto potential to perform much better than 4.x, though framework are Giant-free. KAME IPsec and FAST for the purposes of creating the RELENG_5 IPSec have not been locked. branch, comparable performance between the two Sound subsystem - complete should be acceptable. kernel preemption - preemption for interrupt It is unrealistic to expect that the SMPng project will threads is enabled. However, contention due to Giant covering much of the kernel and most of the be fully complete by RELENG_5, or that performance will be significantly better than 4.x. However, focusing device driver interrupt routines causes excessive on a subset of the outstanding tasks will give enough context switches and might actually be hurting benefit for.the branch to be viable and maintainable. performance. Work is underway to explore ways to To break it down: make preemption be conditional. o ABI/API/Infrastructure stability Enough infrastructure must be in place and stable to allow Another issue with SMPng is interrupt latency. The fixes from HEAD to easily and safely be merged overhead of doing a complete context switch to a kernel interrupt thread is high and shows noticeable into RELENG_5. Also, we must draw a line as to
AUUGN Vol.24 ~ No.2 - 21 - June 2003 what subsystems are to be locked down when we http ://www. freebsd, org/doc/en_US. IS... uide/archs go into 5-STABLE. ¯ html. SMPng busdma interface and drivers - architectures like VM - Most codepaths, others than the ones that PAE/i386 and sparc64 which don’t have a direct interact with VFS, should be Giant-free for mapping between host memory address space and RELENG_5. expansion bus address space require the elimination for vtophys0 and friends. The busdma Network - Taking the network stack out from interface was created to handle exactly this under Giant poses the risk of uncovering latent problem, but many drivers do not use it yet. The bugs and races. Locking it down but not removing busdma project at Giant imposes further performance penalties. A http : //www. FreeBSD. org/proj ects/busdma/index, htm decision on whether to continue with locking the 1 tracks the progress of this and should be used to network layers, and whether they should be free determine which drivers must be converted for from Giant for RELENG-- 5 should be made no later RELENG_5 and which can be left behind. Also, than March 15. If the decision is made to allow the there has been talk by several developers and the locking to go forward, the IPv4, UDP, and TCP original author to give the busdma interface a layers should be free of Giant. IPv6 and the socket minor overhaul. If this is to happen, it needs to layers would be nice to have also, though it should happen before RELENG_5. Otherwise, differences be investigated whether they can be safely locked between the old and new API will make driver down in 5.x after the RELENG-- 5 branch. If the maintenance difficult. decision is to keep the network stack under Giant PCI resource allocation - PC2003 compliance for the branch, then an investigation should be requires that x86 systems no longer configure PCI made to determine if the present locking work can devices from the system BIOS, leaving this task be reverted and deferred to 6-CURRENT. solely to the OS. FreeBSD must gain the ability to Having a Giant-free path from the the TCP/IP manage and allocate PCI memory resources on its layers to the hardware should be investigated as it own. Implementing this should take into account could allow significant performance gains in the cardbus, PCI-HotPlug, and laptop dockstation network benchmarks. If this can be achieved then requirements. This feature will become the hardware interface layer needs to allow for increasingly critical through the lifetime of drivers to incrementally become free of Giant. RELENG_5, and therefore is a requirement for the Locking down at least two Ethernet drivers would RELENG_5 branch. be highly desirable. If the semantics are too complex to have the stack free of Giant but not the Most performance gains hinge on the progress of hardware drivers, investigation should be done SMPng Areas that should be concentrated on are: into making it configurable. Lesser-used network stacks like netatlk, netipx, Storage I/O - I/O performance suffers from two etc, should not break while this work is going on. problems, too many expensive context switches, However, locking them is not a high priority. and too much work being done in interrupt GEOM - At least 2 block drivers should be locked threads. Specifically, it takes 3 context switches in order to demonstrate that others can also be for most drivers to get from the hardware locked without changing the interface to GEOM. completion interrupt to unblocking the user The ATA driver is a good candidate for this, though process: one for the interrupt thread, one for the caution should be taken as it is also extremely GEOM g_up thread, and one to get back to the high-profile and any problems with it will affect user thread. Drivers that attempt to be efficient nearly all users of FreeBSD. and quick in their interrupt handlers (as all should Lazy context switching - sparc64 is the only be) usually also schedule a taskqueue, which adds platform that performs lazy context switching a context switch in between the interrupt thread when entering the kernel. The performance gains and the g_up thread and brings the total up to 4. promised by this are significant enough to require Two things need to be done to attack this: that it be implemented for all other Tier 1 o make all drivers defer most of their processing platform~. out of their interrupt thread. Significant KSE - The kernel side of KSE must be functionally performance gains have been shown recently in complete and have undergone a security audit. the aac(4) driver by making its interrupt libkse must be complete enough to demonstrate a handler be ’INTR_MPSAFE’ and moving all real-world application running correctly on it processing to a taskqueue. using the standard POSIX Threads API. Examples o investigate eliminating the taskqueue context would be apache 2.0, squid, and/or mozilla. A switch by adding a callback to the g_up thread functional regression test suite is also a that allows a driver to do its interrupt requirement for RELENG_5 and should test signal processing there instead of in the taskqueue. delivery, scheduling, performance, and process Network - Network drivers suffer from the security/credentials for both KSE and non-KSE interrupt latency previously mentioned as well as processes. KSE kernel and userland components from the network stack being partially locked must also reach the same level of functionality for down but not free from Giant. Possible strategies all Tier-1 platforms in both UP and SMP for addressing this are described in the previous configurations. The definition of ’Tier-1 platforms’ section. can be found at
AUUGN Vol.24. No.2 - 22 - June 2003 Other locking - XXX ? processor affinity, HyperThreading and KSE Benchmarks and performance testing - Having a awareness, and no regressions in performance or source of reliable and useful benchmarks is interactivity characteristics must be available for essential to identifying performance problems and RELENG_5. guarding against performance regressions. A sparc64 local console - neither syscons nor vt ’performance team’ that is made up of people and work on sparc64, leaving it with only serial and resources for formulating, developing, and ’fake’ OFW console support. This is a major executing benchmark tests should be put into support hole for what is a Tier 1 platform. Whether place soon. syscons can be shoe-horned in or wscons be adopted from NetBSD is up for debate. However, Comparisons should be made against both FreeBSD sparc64 must have local console support for 4.x and Linux 2.4.x. Tests to consider are: RELENG_5. Having this will also allow the XFree86 server to run, which is also a requirement the classic ’worldstone’ for RELENG_5. webstone - /usr/ports/www/webstone gcc/toolchain - gcc 3.3 might be available in time Fstress - http ://www. cs. duke. edu/ari/fstress for RELENG_5 and might offer some attractive ApacheBench - /usr/ports/www/pS-ApacheBench benefits, but also likely to introduce ABI netperf- /usr/ports/benchmarks/netperf incompatibility with prior gcc versions. ABI compatibility should be locked down for the Features: RELENG_5 branch. There has also been a request to move /usr/include/g++ to /usr/include/g++-v3 to be ACPI - Intel’s ACPI power management and device more compliant with the stock behavior of gcc. configuration subsystem has become an integral This should be investigated for RELENG_5 also. part of FreeBSD’s x86 and ia64 device gdb - gdb from the base system should work for configuration model. However, many bugs exist in Intel’s vendor code, our OS-specffic code, and sparc64. It should also understand KSE thread semantics, assuming that KSE is included in the motherboard BIOSes, causing many ACPI-enabled RELENG_5 branch, gdb 5.3 is available and there systems to fail to boot, misdetect drivers, and/or have many other problems. Fixing these problems are reports that it should address the sparc64 seems to be an uphill battle and is often times issue. causing a poor first-impression of FreeBSD 5.0. disklabel(8) regressions - The biggest casualty of Most x86 systems can function with ACPI the introduction of GEOM appears to be the disabled, and logic should be added to the disklabel utility. The ’-r’ option gives unpredictable bootloader and sysinstall to allow users to easily results in most cases now and should be removed and intuitively turn it off. Turning off ACPI by or fixed. Work is planned for a new unified default is prone to problems also as many newer interface for modifying labels and slices, however systems rely on it to provide correct interrupt this should not preclude disklabel from being routing information. Also, a centralized resource fixed. should be created to track ACPI problems and solutions. Linux uses the same Intel vendor Documentation: sources as FreeBSD, so we should investigate how they have handled some of the known problems. The manual pages, Handbook, and FAQ should be NEWCARD / OLDCARD - The NEWCARD free from content specific to FreeBSD 4.x, i.e. all subsystem was made the default for 5.0. text should be equally applicable to FreeBSD 5.x. Unfortunately, it contains no support for non- The installation section of the handbook needs the Cardbus bridges and falls victim to interrupt most work in this area. routine problems on some laptops. The classic 16- The release documentation needs to be complete bit bridge support, OLDCARD, still exists and can and accurate for all Tier 1 architectures. The be compiled in, but this is highly inconvenient for hardware notes and installation guides need users ~f older laptops. If OLDCARD cannot be specific attention. completely deprecated for RELENG_5, then If FreeBSD 5.1 is not the branch point for provisions must be made to allow users to easily RELENG_5 then the Early Adopters Guide needs install an OLDCARD-enabled kernel. to be updated. This document should then be Documentation should be written to help trasition removed just before the release closest to the users from OLDCARD to NEWCARD and from RELENG_5 branch point. ’pccardd’ to ’devd’. The power management and ’dumpcis’ functionality of pccardc(1) needs to be 4. ~CHEDULE brought forward to work with NEWCARD, along with the ability to load CIS quirk entries. Most of If branching RELENG_5 at the 5.1 release is this functionality can be integrated into devd and paramount, 5.1 will probably need to move out by at devctl. least 3 months. The schedule would be: New scheduler framework - The new scheduler o Jun 30, 2003 - KSE and SMPng feature freeze framework is in place, and users can select o Aug 4, 2003 - 5.1-BETA, general code freeze between the classic 44bsd scheduler and the new o Aug 18, 2003 - 5.1-RC1, RELENG_5 and ULE scheduler. A scheduler that demonstrates
AUUGN Vol.24, No.2 - 23 - June 2003 RELENG 5 1 branched down someone else grabs your address) the email is Aug 25, 2003 - 5.1-RC2 delivered to the machine that your old address was Sept 1, 2003 - 5.1-RELEASE allocated to --- and bounces.
Taking an incremental approach might be more In addition, my current ISP blocks port access to the beneficial. Releasing 5.1 in time for USENIX ATC SMTP port, so there’s no point in running a mailer 2003 will provide a wide audience for productive daemon directly accessible from the internet. feedback and will keep FreeBSD visible. In this scenario, 5.1 should offer a significant improvement LIVING WITH THE PROBLEM over 5.0 in terms of bug fixes and performance. Lockdowns and improvements to the storage The simplest thing to do is just to live with the subsystem and scheduler should be expected, the problem. Advertise the email address you got from NEWCARD/OLDCARD issues should be addressed, your ISP, and use IMAP or whatever to read your and all known bugs and regressions from the 5.0 email. errata list should be fixed. KSE and other SMPng tasks that cannot finish in time for 5.1 should also However, this defeats the purpose of having your own not reduce the stability of the release. The schedule domain, and means that when you change your ISP, for this would be: or your ISP changes the addresses on you, you have o May 5, 2003 - 5. I-BETA, general code freeze to tell everyone the new domain name. ° May 19, 2003 - 5.1-RC1, RELENG 5 1 branched ¯ May 27, 2003 - 5.1-RC2 ¯ Jun 2, 2003 - 5. I-RELEASE Tram) PARTY HOSTING SERVICES ° Jun 30, 2003 - KSE and SMPng feature freeze o Sept 1, 2003 - 5.2-BETA, general code freeze There are any number of third party email hosting o services --- Hotmail, Yahoo! Mail, etc., etc. Most will Sept 15, 2003 - 5.2-RC1, RELENG-- 5 and RELENG 5 2 branched not host your entire domain’s email for free, although o Sept 22, 2003 - 5.2-RC2 some are fairly cheap. o Sept 29, 2003 - 5.2-RELEASE The one I’ve found to be best is fastmail.fm an Australian company whose entire business is 5o POST RELENG --5 DIRECTION handling outsourced emafl. They’ll do low volume As with all -STABLE development streams, the focus marl handling for free; and for slightly more will host should be bug fixes and incremental improvements. your entire email requirements. dust like normal, everything should be vetted through the HEAD branch first and committed to RELENG_5 USING MAmFORWARD AND ZONEEDIT with caution. As before, new device drivers, incremental features, etc, will be welcome in the If your emafl requirements are small (less than 200M branch once they have been proven in HEAD. per year, only a few addresses), and you host your DNS with zoneedit.com, then you can set up a poor- Further SMPng lockdowns will be divided into two man’s MTA as follows: categories, driver and subsystem. The only subsystem that will be sufficiently locked down for RELENG_5 Set up exim or whatever behind your firewall, to will be GEOM, so incrementally locking down device do local deliveries as you wish. drivers under it is a worthy goal for the branch. Full subsystem lockdowns will have to be fully tested and proven in HEAD before consideration will be given to Set up a free IMAP account (for example with merging them into RELENG_5. fastmail.fm for each local address. The names can be random gibberish, as end users are never going This article is re-printed with permission. The originals to see them. can be found at: Set up a MailForward for each user at http: / / www. bsdforums, org /forums / showthread.php ? zoneedit.com to point each to a different free IMAP threadid=6892 account. Set up fetchmail to poll the IMAP accounts at 15 minute intervals and give the result to the local lYla l and Dynamic IF smtp server. Author: Peter Chubb
AUUGN Vol.24, No.2 - 24 - June 2003 options no rewrite !fetchalilii:i My home domains now all use mailhost.com.au and user ’XYZ890’ there wihh passw0rd iii ’PASSWORD’ is.,user2’ here ODMR for marl, and ZoneEdit.com for DNS. I’m still optiohs no rewrite fetchall looking for a free web host that can do PHP, CGI and MySQL.
You could of course configure fetchmail in multidrop Mailhost.com.au isn’t yet up for commercial access; mode, and deliver all email for your domain to one I’ve been told that that’s coming soon. In the emafl account (the one provided by your ISP, meantime, their beta program is open; contact Gavin perhaps). And it’s a good idea to do this as a catchall. Carr ([email protected]) for details.
pop-server.~ic.bigpond.net.au aka mai.l.d~s~r.. 0mTW~:thprot~ .POP3~ and options ...... no dns envel0pe3 ,,Received" localdomainsYourDomain.id.au user. ’pchubb there with. p&ssword De ec ion Sys em ’PassWord’~il~ i tO pchubb@big~0~di:~het~iaU=p~tle~:tll* here Part I Author: Klaus M011er
The main disadvantage is that spare filtering is a little Basically, there are the following three areas: harder; you can’t set up a tarpit or bounce detected spam straight away, because all email is relayed via Information Sources your mail host. Response
AUUGN Vol.24 ~ No.2 - 25 - June 2003 Analysis NETWOm~ INT.VSION ]DETECTION (NIDS)
Response and Analysis is covered again more The main task of a Network IDS is the analysis and precisely later, the different kinds of "Information interpretation of packets transferred over the Sources" right now. Because of the extensive network. Signatures are used to examine packets for possibilities to attack a PC or a network there are "conspicuous" content like e.g. /etc/passwd. We will different kinds of IDS (of course, they can be discuss this in the course of the article. Mostly, so combined with each other) which basically differ in called sensors (often single hosts) are used which do the points where they control and what they control nothing except analyze traffic and f necessary start (Information Sources). an alarm. As this is their only task it is possible to secure those sensors better. In this context there HOST - ]~ASED INTRUSION DETECTION exists often the so called "Stealth Mode", i.e., the sensors act "invisible" so that it is more difficult for Host-Based Intrusion Detection Systems analyze the attacker to localize or attack them. information on a single host. As they normally do not look at the whole network traffic but "only" at the "Stealth mode can be used for network sensors to activities on the same host they are able to make make the promiscuous mode network interface card more precise statements about the kind of attack. In (NIC) invisible because it simply doesn’t have an IP addition, you can see directly the impact on the address in this mode. This is achieved by using a particular PC. E.g that a specific user started an separate NIC in each network sensor machine to attack successfully. Host-based IDSs use mostly two communicate with the console over, usually, a different sources to provide information about physically isolated secure network. Stealth mode activities: system logs and operating system audit makes it more difficult for a hacker to attack the trails. Both have advantages and disadvantages as network sensor itself." operating system audit trails are more exact, detailed and can give better information about activities while This paragraph (taken from the description for system logs mostly deliver only the most important RealSecure) clarifies again what a sensor in Stealth information and are therefore considerably smaller. Mode is. The sensor switches into promiscuous mode System logs can be controlled and analyzed better (simply put: the mode in which the network device because of their size. reads the whole network traffic) and has no own IP. With this it should be made as difficult as possible for Advantages: the attacker to localize the sensor. By the way, this is o you "see" the impact of an attack and can react the mode used by packet sniffers like tcpdump... better on it o you can recognize Trojan horses etc. better as the Basically, you can use sensors in following areas: available information/p ossibflities are very extended Within the firewall (simplified): o you can detect attacks which cannot be detected by Network based IDS because traffic is often encrypted ° you can observe activities on your host exactly
Disadvantages: ° they are not good in recognizing scans o they are more vulnerable to DoS attacks o the analysis of operating system audit trails is very time-consuming because of its size. o they stress the host’s CPU performance (partly) immensely
Examples: o Tripwire This diagram shows only one possible solution and http: //www. tripwire, com/pro ducts/index, cfml shall only clarify that the sensors are not between ° SWATCH DMZ and firewall. If the expression DMZ is unknown http: / /freshmeat. net/redir/swatch/10125/url_ho to you: it stands for DeMilitarized Zone and is an area mepage/swatch which is secured from all sides. o DragonSquire http: //www. enterasys, com/ids / squire / If sensors are within the firewall it is easier for them ° Tiger to decide if a firewall was eventually configured http://freshmeat.net/redir/tiger-audit/30581/url improperly and in addition you get to know if a _homepage/tiger potential attack came through the firewall or not. o Security Manager According to experience, sensors create less false h.ttp: //www. netiq, corn/products / sm / default, asp positives as they act "less inconspicuously" and therefore traffic is less (~vhereby the probability of a
AUUGN Vol.24, No.2 - 26 - June 2003 false alarm drops), the impacts of an attack
Sensors placed within a firewall serve as intrusion Examples: detection. Should your sensor fulfill this task you ¯ NetRanger [http://www.cisco.com] should then put it within the firewall ... o Dragon [http: //www.securitywizards.com] o NFR [http://www.nfr.netl Outside the firewall (simplified)" o Snort [http://www.snort.org] o DTK [http://all.net/dtk/dtk.htmll o ISS RealSecure [http: //www. uh. edu/infotech / software/unix/reals ecure/index.html]
Though I distinguish between HIDS and NIDS the differencebecomes smaller and smaller as in the meanwhile HIDS, too, have the basic functionality of NIDS. Known ID Systems like ISS RealSecure call themselves not only NIDS but "host-based and network-based IDS". In the future, the difference between both systems will become even less clear (so that both systems "grow together" more and more). Sensors are often placed outside the external firewall as shown in the diagram. The reason for this is that NETWORK NODE ].NTRUSION DETECTION (NNIDS) the sensor can receive and analyze the whole traffic from the internet. If you place the sensor here it is Basically, this new type (NNIDS) works like typical not ensured that really all attacks are filtered and NIDS, i.e., you take packets from network traffic and detected, e.g., TCP attacks. In this case, you would analyze them. But it only concerns packets which are try to detect the attack by using so called signatures addressed to the network node (this is where the (more about this in the part about signatures). name comes from). Another difference between NNIDS Nevertheless, this placement is preferred by many and NIDS is that NIDS run in promiscuous mode experts because there is the advantage to log and while NNIDS does not run in promiscuous mode. As analyze the attacks (to the firewall...), thereby, the not every packet is analyzed the performance of the admin can see where he should change the firewall system will not suffer to much, such systems run very configuration. fast as a rule.
Sensors placed outside the firewall serve as attack APPLICATION BASED ~_NTRUSION DETECTION detection (different to placing in within the firewall!). If your sensors should detect these attacks you Application Based IDS’s are a subgroup of host-based should put them outside the firewall... IDS but I mention them here separately. It monitors the interaction between user and program whereby Outside and within the firewall mainly additional log files are created to provide information about the activities. As you operate Actually, this variant connects both previously directly between user and program you can very mentioned variants. But, the danger is that you easily "filter" conspicuous behaviour. You can configure the sensors and/or the firewall wrongly, i.e., visualize an ABIDS as in the following diagram: you cannot simply add the advantages of both variants to this variant. These are not the only possibilities to placing sensors, you can, of course, place them somewhere else but the above mentioned places are. the most commonly used. .
Advantages: o the sensors can be secured well as they "only" observe traffic o you can detect scans better - on the basis of ...... signatures,., you can "filter" traffic (actually, we will show later that this is not always the case) Advantages:
Disadvantages: you work at unencrypted level, in opposition to, o the probability of so called false negatives (attacks e.g., Network Based IDS, whereby analysis is more are not detected as attacks) is high as it is difficult feasible to control the whole network you can detect and prevent conspicuous ° mostly, they have to operate on encrypted packets commands which the user wants to use on/with where analysis of packets is complicated the program o as a difference to host-based IDS they do not see
AUUGN Vol.24 ~ No.2 - 27 - June 2003 Disadvantages: concerned...?) Reaction: the (counter) action, o no security and few possibilities to detect, e.g., detection alone does not serve anything if you do not Trojan horses (as you do not act in kernel space) take steps against it. Padded Cell Systems offers o the log files created by this kind of IDS are easy special possibilities which concern counteractive attack targets for "attackers" and not so secure measures. So, reaction implies what you do / the IDS like, e.g., operating system audit trails does when you react to an attack.
STACK BASED INTRUSION DETECTION Later, we will clarify the different response options of IDS again... In addition, honeypots can be classified in two bigger categories, research and production Also a new kind of IDS is the so called Stack Based honeypots. Production honeypots are to help lessen Intrusion Detection System (SBIDS). But potential risks in a network while research honeypots momentarily, I do not have enough information which serve to collect and inquire information about the would allow me to brief you about this type of IDS. In attackers. a future version of this paper the description will certainly follow... Prevention: Honeypots are surely not the most appropriate systems to avert attacks. As you will see later at Padded Cell Systems, a wrong programmed and The word Honeypot is used in a lot of different wrong configured honeypot can even facilitate attacks contexts. To avoid confusion I will stick to the whereby this covers the whole subject of IDS. definition from the SANS Institute’s Intrusion Deception FAQ: "Honeypots are programs that Detection: simulate one or more network services that you Seemingly, that is the biggest advantage of honeypots designate on your computer’s ports. An attacker as they can be excellent in detecting attacks. In this assumes you’re running vulnerable services that can context, they can above all analyze and interpret be used to break into the machine. A honeypot can system logs. The placement of the honeypot plays a be used to log access attempts to those ports decisive role, an admin can only benefit by honeypots including the attacker’s keystrokes. This could give f the are configured and placed properly. Often, they you advanced warning of a more concerted attack". are placed between important servers to detect In some cases, a honeypot is simply a "box". From eventual scans of the whole network or in the the outside it appears vulnerable, while it logs traffic proximity of one important server to detect illegal and also analyzes it. Thus, because honeypots access with the help of port redirection (e.g., f appear vulnerable and no connections should be someone tries to access the server at certain ports he created every connection to the honeypot is seen as will be redirected to the honeypot, as this access suspicious should not be allowed there should be a warning).
Reaction: Internet In the part about Responses (read beneath), you can see which possibilities a honeypot has to react on events. When using/creating a honeypot you should ext. Firewall keep in mind that the host should look most attractive to an attacker, i.e., it should not be too difficult to attack the host. Basically, there should be Honeypot " ~l <--- in DMZ :_f=ii.~__ .... few changes from the default configuration as too many changes only seem conspicuous. Nevertheless, you should not forget the actual idea, i.e., control ~int.~Firewall ~ traffic, log activities .... One approach of which I have heard several times is to place the honeypot in its own subnet behind a firewall. This has normally So, the internal network does not have to be exposed alarm capabilities and so can display warnings. As because a honeypot is normally placed in the DMZ logs are sought-after targets of attackers you should (DeMilitarized Zone). The major task of a honeypot not log them on the host itself but send it to another consists mostly in analyzing traffic, e.g., when certain server. Sometimes, sniffers are used to search traffic processes were started, which files were changed .... for certain signs and "log" traffic. If you collected so that you can create a quite good profile of potential enough information you should analyze the logs and attackers. look for weaknesses of the network, respectively rectify them. Because of the amount of information it But not all honeypots are alike so you can distinguish should be easier to close security holes and take between three "variants" which enhance security of action against attackers. But you should consider the system in different ways: that honeypots are not completely legal, respectively you should be attentive when using honeypots. The Prevention: prevent an attack detection: notify that problem is that a honeypot can be interpreted as an there was an attack (possibly a localization of the "invitation to attack" and if you realize that the host attacker, ~vhat kind of attack, which services are was attacked (and you do not initiate counteractive
AUUGN Vol.24 o No.2 - 28 - June 2003 measures) that could be interpreted additionally as an Such circumstances are still abused these days, act of gross negligence. Some judiciary e.g., if there is a mutual trust between two hosts, argumentation against honeypots sound banal but i.e., the user of one host can log in another you should check the law at your place. If someone without password (or else). If an attacker attacks another network from your network and accomplishes a comparable effect with his attack it creates damage you will (probably) pay for it for is sometimes very difficult to discover such already mentioned reasons. "abused" mutual trust.
Further inquiries found that the application of 2) Integrity honeypots is, e.g., in Europe is no problem (if you find If the user changes important configuration and a law which contradicts this, write to me, please. My system files, replaces existing binaries by his search did not find such a law...). own... Often, existing binaries (like, e.g., /bin/login) are replaced by own binaries. There, PADDED CELL SYSTEMS the respective user only has to give a fixed password (in the source) and gets (mostly) root privileges. Such attacks serve to expand ones own These systems normally work together with one of the privileges, e.g., by means of installing a login other systems. If the used IDS notifies about an backdoor. In fact, there are tools like Tripwire but attack the respective attacker is forwarded to a not everyone uses it. In addition, there are often "padded cell host". As soon as they are in this devastating errors in configuration and use which padded cell host they cannot make any damage as the make Tripwire an extra risk in such cases. whole environment is simulated, a "bogus" environment. It is important that this environment is 3) Availability as realistically presented as possible, respectively the By this, the reachability of the system is affected. attacker has to think that the attack was successful This could cause the ban of certain users to log in (sort of). There is a possibility to log, analyze and at all or that you can only log in at certain times... follow every activity of the attacker. The problem with The aim is mostly to work "undisturbed" and using padded cell systems is that it is possible that it cannot be discovered by any user. is illegal to employ them in a particular country (as eventually such counter activities of the IDS can be 4) Control seen as "attack", though they are only meant to E.g, ff the attack is for the purpose of "overtaking" collect information about the real attacker). the system that has control over files, programs... When this happens, you should consider that the Advantages: attacker gets also all other previously listed o once in a padded cell host, attackers cannot do options. If he has total control over the system he any more damage as it is only a "bogus" can change, restrict.., what he vvants. environment o the admin can follow/log the activities of the Before I get to the different types of attack (DOS, attacker directly to get more information about the DDoS, Scans .... ) I will make just a little excursion to attack and the target of the attack and so is able the world of Integrity Checkers. Tools like Tripwire to initiate counteractive measures more easily are part of host based IDS, the issue of an Integrity Checker is to check the integrity of diverse fries and Disadvantages: start an alarm if you detect changes on a file. o eventually, usage of padded cell systems is not legal (the same as honeypots, in Europe this 1) Creation of a database should be no problem) The first step after the installation of an Integrity ¯ the implementation of such a system is very Checker like Tripwire is the creation of a database. difficult and requires some knowledge as the whole This step should (must) be made in a situation at environment has to be simulated correctly. If the which the condition of the system is not admin makes a little mistake somewhere this compromised. If you create the database at a later system could by all means open additional time (and maybe the attacker has replaced the security holes existing binaries) the use of an Integrity Checker would not work as it should. In such a case, the ~]~YPES OF ATTACK replaced binaries would be considered as "originals" and ff the admin replaces these binaries Before you develop or use an IDS you should specify by the actual "originals", an alarm would be the potential dangers, also which attacks you expect. started. Most of the tools offer extensive Despite the different possibilities attacks and their possibilities to specify files/directories of which target can be defined in four categories: you want to create checksums. We simply generate a fingerprint of the system. (Tripwire 1) Confidentiality calls this Database Initialization Mode) The consequences of the attack are that the mutual trust to a certain user changed (mostly to 2) Check of Integrity his favor ;), e.g., that you do not have to After the admin has a database (the fingerprint) of authenticate anymore for a certain program... the system he can check his system when he
AUUGN Vol.24 o No.2 - 29 - June 2003 wants to. This is done simply by comparing the replaced. If this is the case, execution is checksums in the database with the currently prohibited. available files on the disk, Tripwire offers more possibilities. Simply read the manpage for This concept is only one possible for realtime integrity Tripwire or associated documentation. checkers (at least I arranged this concept for me). As a difference to integrity checkers you do not rely on Those two steps are actually found in most Integrity the admin checking files regularly, you try to check Checkers. Tripwire offers the possibility to update the the correctness of the binary before execution and not database (when having installed new tools...) or to let it execute if necessary... update the policy file, test the email notification system... Besides the above mentioned categories (integrity, control .... ) attacks can be differentiated otherwise, of Which errors can be made when using Integrity course, e.g., how to attack, respectively with what Checkers ? means. Also, here are naturally many possibilities, but the most common attacks against IDSs are: The first and grossest error an admin can commit is to create an MD5 hashsum database when existing Scans binaries have been replaced by an attacker already. If These days, scans are the common "attacks", the an admin assumes that an attack was successful and problem here is that the IDS should not produce afterwards creates the hashsum database of this too many false positives. Mostly, scans serve to "compromised" system, the binary, replaced by the get (further) information about a host/network attacker (e.g., login backdoor), would be considered as (e.g., to start subsequent attacks). What the "real" binary. You should create the database as information an attacker can get about your own soon as possible after installation. One other big network you can see with the following scan result error when using Integrity Checkers (like, e.g., (nmap - only a small example which does not at all Tripwire) is to leave the hashsum database on hard show all possibilities of nmap): disk. On first sight, it seems absolutely normal to leave the database on hard disk but if you have to ~ leave it there you should at least make sure that the Host (192 ~ 168 ~ 0,0) AUUGN Vol.24 o No.2 - 30 - June 2003 ~ 4500 0028 0000 4000 ff06:7dcdTf00 0001 7f00 000i 0050 e5651 069~ ~525’ 0~000 0000 5004 0000 a070 0000 .~ ~ Using many of the most different, scan techniques o2:10 : 16.114704 Diablo. 1727 > Diabl0. 821i S. 196002918:196002918 (0) ~ ~ ..... together result in a mass of information which allows win 32767 :